Posted to apache-bugdb@apache.org by Dale Bewley <da...@bewley.net> on 1997/04/09 17:30:02 UTC
suexec/339: suexec will not allow QUERY_STRINGS
The contract type is `' with a response time of 3 business hours.
A first analysis should be sent before: Wed Apr 09 12:00:02 PDT 1997
>Number: 339
>Category: suexec
>Synopsis: suexec will not allow QUERY_STRINGS
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: apache (Apache HTTP Project)
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Wed Apr 9 08:30:02 1997
>Originator: dale@bewley.net
>Organization:
apache
>Release: 1.2b8
>Environment:
RedHat 4.1
>Description:
CGIs seem to work fine until you add a ?query_string to them.
Below are relevant entries from the SuExec cgi.log
WithOUT a query string
[10:25:08 09-04-97]: uid: (dale/dale) gid: (dale/dale) suexec-bug.cgi
WITH a query string
[10:25:13 09-04-97]: invalid target user name: (\~dale)
Relevant entry from the ScriptLog
%% [Wed Apr 9 10:25:13 1997] GET /~dale/suexec-bug.cgi?blah HTTP/1.0
%% 500 /home/dale/www/suexec-bug.cgi
%request
Connection: Keep-Alive
User-Agent: Mozilla/4.0b2 (X11; I; SunOS 5.4 sun4m)
Pragma: no-cache
Host: www.bewley.net
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
%response
>How-To-Repeat:
http://www.bewley.net/~dale/suexec-bug.cgi
http://www.bewley.net/~dale/suexec-bug.cgi?foo
>Fix:
>Audit-Trail:
>Unformatted: